Towards a moving target defense based on stochastic games and honeypots

Honeypots, which serve as active defense mechanisms, have historically played pivotal roles in cyberspace offensive and defensive countermeasure scenarios. However, with the advancement of honeypot recognition technologies, their effectiveness in real-world network defense has gradually diminished. In response, moving target defense (MTD) has recently solidified its position as a proactive cybersecurity strategy and a critical research frontier. MTD leverages heterogeneous, redundant deployments of service resources and randomization techniques to disrupt attack methods. However, despite their advantages, MTD systems face challenges related to high resource consumption. To address these limitations, we propose a moving target defense based on stochastic games and honeypots (GH-MTD) framework. This framework consists of four key modules: traffic detection, gaming, MTD, and honeynet. Firstly, malicious traffic is identified through a deep learning-based detection method. Secondly, a zero-sum game model is constructed to capture the decision-making dynamics between defenders and attackers in the context of moving target defense. Subsequently, a cross-scenario adaptive MTD module is designed to route different types of traffic to corresponding virtual server groups. Finally, a honeypot module is implemented to capture and analyze the specific attack behaviors of malicious actors. By integrating honeynet probes with real services and employing attack behavior analysis alongside internet protocol (IP) address redirection techniques, the GH-MTD system achieves a defense response that is both cost efficient and highly effective. Empirical evaluation reveals a 5.5-fold enhancement in attack diversion probability through benchmarking with service-oriented MTD architectures, while the capture rate surpasses that of conventional honeypots by 3.4 times. Particularly against real attackers, GH-MTD exhibits 5.6 times more captured packets and extends the time consumed by attackers by 1.5 times over that of standalone honeypots. In our experiments, we evaluate the architecture's performance against various attack methods, including automated scripts, manual attacks, and assaults by high-level penetration testers. The results demonstrate that the GH-MTD architecture performs exceptionally well, particularly in mitigating and countering advanced, sophisticated attacks, thereby demonstrating its effectiveness in modern network defense strategies.